diff --git a/Makefile.am b/Makefile.am
index 3242766f..bc6ad280 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -11,7 +11,8 @@ AM_CPPFLAGS = \
 -DLIBDIR=\""$(libdir)"\" \
 -DPREFIX=\""$(prefix)"\" \
 -DSYSCONFDIR=\""$(sysconfdir)"\" \
- -DVERSION=\""$(VERSION)"\"
+ -DVERSION=\""$(VERSION)"\" \
+ -DEXTERNAL_LUKS2_TOKENS_PATH=\"${EXTERNAL_LUKS2_TOKENS_PATH}\"
 AM_CFLAGS = -Wall
 AM_LDFLAGS =
diff --git a/configure.ac b/configure.ac
index 2180f4ab..8aacfd8f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -657,6 +657,15 @@ test -z "$with_luks2_lock_dir_perms" && with_luks2_lock_dir_perms=0700
 DEFAULT_LUKS2_LOCK_DIR_PERMS=$with_luks2_lock_dir_perms
 AC_SUBST(DEFAULT_LUKS2_LOCK_DIR_PERMS)
+CS_STR_WITH([luks2-external-tokens-path], [path to directory with LUKSv2 external token handlers (plugins)], [LIBDIR/cryptsetup])
+if test -n "$with_luks2_external_tokens_path"; then
+ CS_ABSPATH([${with_luks2_external_tokens_path}],[with-luks2-external-tokens-path])
+ EXTERNAL_LUKS2_TOKENS_PATH=$with_luks2_external_tokens_path
+else
+ EXTERNAL_LUKS2_TOKENS_PATH="\${libdir}/cryptsetup"
+fi
+AC_SUBST(EXTERNAL_LUKS2_TOKENS_PATH)
+
 dnl Override default LUKS format version (for cryptsetup or cryptsetup-reencrypt format actions only).
 AC_ARG_WITH([default_luks_format], AS_HELP_STRING([--with-default-luks-format=FORMAT], [default LUKS format version (LUKS1/LUKS2) [LUKS2]]),
diff --git a/lib/luks2/luks2_token.c b/lib/luks2/luks2_token.c
index ee6b5ec5..583883b3 100644
--- a/lib/luks2/luks2_token.c
+++ b/lib/luks2/luks2_token.c
@@ -131,7 +131,7 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
 #if USE_EXTERNAL_TOKENS
 struct crypt_token_handler_v2 *token;
 void *h;
- char buf[512];
+ char buf[PATH_MAX];
 int r;
 if (!external_tokens_enabled)
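Review bot: In the Makefile.am hunk the new `-DEXTERNAL_LUKS2_TOKENS_PATH` define is quoted differently from its neighbours. The existing defines wrap the value in an inner pair of shell double quotes (`\""$(libdir)"\"`), while the new line has only the escaped pair, so a configured path containing whitespace would be split into separate compiler arguments. Writing it as `-DEXTERNAL_LUKS2_TOKENS_PATH=\""$(EXTERNAL_LUKS2_TOKENS_PATH)"\"` keeps the block consistent.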
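Review bot: In the configure.ac hunk only the `--with-luks2-external-tokens-path` branch is passed through `CS_ABSPATH`; the `else` branch assigns `"\${libdir}/cryptsetup"` unchecked, so the absolute-path property that luks2_token.c relies on rests on `libdir` being absolute. Nothing here records that this directory is a code-loading location either. A comment above `CS_STR_WITH` would help packagers, for example `dnl Directory libcryptsetup dlopen()s token plugins from; must be absolute and writable only by root.`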
@@ -147,10 +147,12 @@ crypt_token_load_external(struct crypt_device *cd, const char *name, struct cryp
 token = &ret->u.v2;
- r = snprintf(buf, sizeof(buf), "libcryptsetup-token-%s.so", name);
+ r = snprintf(buf, sizeof(buf), "%s/libcryptsetup-token-%s.so", EXTERNAL_LUKS2_TOKENS_PATH, name);
 if (r < 0 || (size_t)r >= sizeof(buf))
 return -EINVAL;
+ assert(*buf == '/');
+
 log_dbg(cd, "Trying to load %s.", buf);
 h = dlopen(buf, RTLD_LAZY);
diff --git a/misc/fedora/cryptsetup.spec b/misc/fedora/cryptsetup.spec
index d33bb5d4..784bd6c5 100644
--- a/misc/fedora/cryptsetup.spec
+++ b/misc/fedora/cryptsetup.spec
@@ -77,6 +77,7 @@ can be used for offline reencryption of disk in situ.
 %install
 %make_install
+mkdir -p -m 0755 $RPM_BUILD_ROOT%{_libdir}/%{name}/
 rm -rf %{buildroot}%{_libdir}/*.la
 %find_lang cryptsetup
@@ -114,6 +115,7 @@ rm -rf %{buildroot}%{_libdir}/*.la
 %files libs -f cryptsetup.lang
 %license COPYING COPYING.LGPL
 %{_libdir}/libcryptsetup.so.*
+%dir %{_libdir}/%{name}/
 %{_tmpfilesdir}/cryptsetup.conf
 %ghost %attr(700, -, -) %dir /run/cryptsetup
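Review bot: In the second luks2_token.c hunk, `assert(*buf == '/')` is the only runtime guard that the path handed to `dlopen` is absolute. It is compiled out under `NDEBUG`, and where it is active it aborts the calling process instead of returning an error. An explicit check matches the `-EINVAL` handling just above it: `if (*buf != '/') return -EINVAL;`. Separately, `name` is pasted into the path unchanged and no validation of it is visible in this hunk. `crypt_token_load_external` starts and ends outside the hunk, so if no earlier check exists, rejecting a `name` that contains `/` before the `snprintf` would keep the lookup inside `EXTERNAL_LUKS2_TOKENS_PATH`.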
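Review bot: In the `%files libs` hunk the new `%dir %{_libdir}/%{name}/` entry takes its mode and ownership from the build root and the package defaults, whereas the `/run/cryptsetup` line below it pins them with `%attr`. This directory holds plugins that the library loads with `dlopen`, so pinning it too makes the intent explicit: `%dir %attr(0755, root, root) %{_libdir}/%{name}/`. As a style point, the `mkdir` added in the `%install` hunk uses `$RPM_BUILD_ROOT` where the next line uses `%{buildroot}`; one spelling throughout would read better.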